Microsoft slammed Google for publicly disclosing a bug on Windows 8.1 despite its request to avoid doing it. Google disclosed the vulnerability two days before Microsoft’s planned fix.
Microsoft calls for a better coordinated vulnerability disclosure
In a blog post, Chris Betz, senior director of Microsoft Security Response Center calls for a better coordinated vulnerability disclosure (CVD) following Google’s action.
According to him, one aspect that needs to be addressed on a CVD debate is timing particularly the amount of time that is acceptable before a researcher can broadly disclose the existence of a bug.
According to him, Microsoft specifically asked Google to work with them to protect customers by withholding details about the Windows 8.1 vulnerability until January 13, the schedule for the release of the fix for the bug.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” said Betz.
Google’s decision to disclose the Windows 8.1 bug is part of its Project Zero, a security initiative that requires a 90-day deadline to fix a bug before making a public disclosure.
Betz added that Microsoft believes that a coordinated disclosure is the right approach and minimizes risk to customers. He pointed out, “those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people.”
Microsoft believes that full disclosure is necessary
Betz emphasized that Microsoft believes that full disclosure is necessary because it compels customers to protect themselves even if the vast majority do not take action as they largely depend on the security update that will be released by a software provider.
Furthermore, Betz said responding to security vulnerabilities can be complex, extensive and time consuming. He said, “Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.”
